Are You Buck-Naked in a Coffee Shop?
How often do you go into a coffee shop, convention center or hotel lobby, open up your laptop or take out your smartphone, and log on to what you assume is the open, public Wifi?
Well guess what? It might be…or it might not. A “man-in-the-middle” attack might be going on at that moment and what you think is the name of the public Wifi hotspot might instead be emanating from someone’s laptop as they masquerade as a hotspot.
When you log on to that rogue hotspot, anything unsecured traveling over that internet connection from your laptop to the Wifi hotspot can be captured, such as checking your email or using file transfer protocol (FTP) programs to upload files. (No, not your banking website or most ecommerce ones, since they use Secure Sockets Layer (SSL), which gives you that little padlock in your web browser showing your logon is secure.)
That’s right: for many online activities your usernames and passwords are traveling in the air and easily logged by that jerk running the man-in-the-middle attack.
The first time I wrote about this was here in January of 2005; again here in July of 2007 (where I wrote about solutions); and yet again in January of 2008. Here I am, slightly over one year later, writing about this yet again since I’m seeing zero public alerts or hardly any awareness of the issue by tech leaders. What sparked it again today was that Michael Janke had this post about Cafe Crack, a suite of open source software that even a small-propeller-on-my-beanie could make work.
This Cafe Crack suite is too easy, folks, and has been out there for some time, as evidenced by the fact that the page was last updated in December 2007 (I had no idea it was even out there). Not only is it even simpler to pull off a man-in-the-middle attack than I’d previously thought, it’s going to be a larger problem going forward.
The reason it’ll be a bigger problem is the sheer volume of people accessing Wifi hotspots. For example, when you have people like those I know (my daughter, friends, and colleagues) who always access any random hotspot with their iPhones in order to get online, or as netbooks and other similar devices continue to accelerate in popularity, this problem is going to get very, very big and a lot of usernames and passwords are going to get stolen (let alone theft or mischief being directed at the services they access).
Protect yourself and do NOT log on to any random hotspot unless you’ve taken steps to ensure you’re protected or aren’t using insecure applications. Tell your friends. I’ve got some solutions listed in that July post, “Are You *Still* Naked in a Coffee Shop?” that you could use and I suggest you do…
…or just sit there naked while others enjoy.
About Steve Borsch